• Status: Solved
  • Priority: Medium
  • Security: Public

H323 through an ASA

I have a setup as follows

H323 video codec ----- Cisco 877 ----- VPN ----- (outside) Cisco ASA 5510 (inside) ------- H323 Gateway.

The problem is that the H323 video codec is not registering with the H323 gateway. Other codecs which do not go through the firewall register with the gateway OK. The routing, VPN and connectivity between the two gateways are fine; they can talk to each other on any port on any protocol.

A packet capture on the 877 shows that the codec is sending out H323 register packets. With "show ipsec sa detail" you can see the packets are being encrypted, as this is currently the only traffic on the link. On the Cisco ASA you can see the packets are being decrypted, but then they vanish. A packet capture on the inside interface of the firewall shows no traffic from the video codec.

Full debugging on both the ASA and the 877 does not show any errors. I have tried having the inspect option h323 both turned on and off for the ASA on the .

Anyone got any ideas on why this traffic would be blocked?

netcmhCommented:
policy-map global_policy
 class inspection_default
  inspect h323
  inspect sip

Would be all that's required, I think.
question01Author Commented:
Yes, I have tried it with the following config and without.

policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 
Makes no difference.

Does the global_policy definitely apply to traffic coming out of a VPN?
question01Author Commented:
Why would I need SIP?
Istvan KalmarHead of IT Security Division Commented:
Did you apply the policy to the outside interface?
What do the logs show?
question01Author Commented:
The global_policy applies to all traffic by default, doesn't it?

The only log from the ASA which mentions the codec is

Tear-down local-host outside:10.x.x.x duration: 00:00:00

The 10.x.x.x is the codec. This log gets created every 10 seconds or so with the duration at 00:00:00.
question01Author Commented:
Canberra-ASA# show service-policy inspect h323 h225

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection
Canberra-ASA# show service-policy inspect h323 ras

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
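The counters in the "show service-policy inspect" output above are the quickest way to tell whether an inspection engine is actually seeing a flow: "packet 0" on every H323 line means no packet from the codec ever matched the class-map, regardless of whether the policy is global or bound to the outside interface. The script below is an added example, not part of the thread and not Cisco's code. It parses that output format (scope, Service-policy, Class-map, Inspect line with packet/drop/reset-drop counters) and lists the inspections whose packet counter is still zero. The sample output is constructed to mirror the thread's output but with one non-zero counter on the interface policy so the contrast is visible; the hostname, "pmap" and "cmap" come from the thread, the counter values are assumed.

```python
"""Parse ASA `show service-policy inspect <proto>` output and flag idle inspections.

Added example for this thread; the sample below is constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: same shape as the thread's output, but the interface
# policy on "outside" is given a non-zero counter (assumed value) so that the
# idle global-policy inspection stands out.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 120, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
"""


@dataclass
class InspectStat:
    scope: str        # "Global policy" or "Interface <name>"
    policy: str       # service-policy name
    class_map: str    # class-map name
    inspect: str      # inspection, e.g. "h323 h225" or "h323 ras"
    packets: int
    drops: int
    reset_drops: int


SCOPE_RE = re.compile(r"^(Global policy|Interface \S+):\s*$")
POLICY_RE = re.compile(r"^\s*Service-policy:\s*(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
# The inspection name is followed by an optional policy-map name ending in
# "_map" (e.g. _default_h323_map), then the three counters.
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*(?P<name>[^,]+?)(?:\s+\S+_map)?,"
    r"\s*packet\s+(?P<pkt>\d+),\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<rdrop>\d+)"
)


def parse_service_policy(output: str) -> List[InspectStat]:
    """Walk the output top-down, tracking the current scope/policy/class."""
    stats: List[InspectStat] = []
    scope: Optional[str] = None
    policy: Optional[str] = None
    class_map: Optional[str] = None
    for line in output.splitlines():
        m = SCOPE_RE.match(line)
        if m:
            scope = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = CLASS_RE.match(line)
        if m:
            class_map = m.group(1)
            continue
        m = INSPECT_RE.match(line)
        if m and scope and policy and class_map:
            stats.append(InspectStat(scope, policy, class_map, m["name"],
                                     int(m["pkt"]), int(m["drop"]), int(m["rdrop"])))
    return stats


def idle_inspections(stats: List[InspectStat], proto_prefix: str = "h323") -> List[InspectStat]:
    """Inspections for proto_prefix that have never counted a packet.

    A zero packet counter means the engine never saw a flow matching the
    class-map, so the traffic is either not reaching the ASA, being dropped
    before the policy is applied, or not matching the class-map's ports.
    """
    return [s for s in stats if s.inspect.startswith(proto_prefix) and s.packets == 0]


def report(output: str, proto_prefix: str = "h323") -> List[str]:
    """One line per idle inspection, e.g. for a monitoring check."""
    return [f"{s.scope} / {s.policy} / {s.class_map}: '{s.inspect}' has inspected 0 packets"
            for s in idle_inspections(parse_service_policy(output), proto_prefix)]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run it against the real output by pasting the ASA text into SAMPLE_OUTPUT or feeding stdin; on the thread's own output every H323 line is idle, which is exactly the symptom the next comment calls out.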
Istvan KalmarHead of IT Security Division Commented:
It shows that the inspection did not recognize the H323 packets...
question01Author Commented:
Yes, it looks that way. So why would it not be inspecting the H323 packets?

Does the global policy apply to traffic coming out of a VPN?

question01Author Commented:
After a reboot of the firewall the problem is resolved. Not sure what was causing the problem, but the VPN was playing up with some strange errors.

question01Author Commented:
Reboot fixed it.
netcmhCommented:
Glad you got that resolved.